Mobile Emulators and How to Find Them

Mobile commerce (or m-commerce) is practically essential for any online business. The increased use of mobile devices means more users are shopping on their mobile devices. In 2017, m-commerce accounted for 58.9%, or $1.4 trillion, of all e-commerce sales. Businesses are shifting their sights towards mobile devices, but unfortunately, so are cybercriminals.

The problem is that the types of attacks used on mobile devices are more advanced than traditional methods. Cybercriminals are using virtual devices known as emulators to bypass detection. Because of this, emulator-based attacks are considered the "silent threat" to mobile banking and commerce applications. Our clients are completely unaware of emulator traffic in their production environment and are surprised to learn the enormity of the issue.

In this post, we’ll explain what mobile emulators do and how attackers are leveraging them to perpetuate fraud.

Mobile Fraud by the Numbers

As the number of mobile transactions increases, so does the amount of mobile fraud.

To effectively combat mobile fraud, we need to understand where it originates from and how it's being performed.

What Are Emulators?

We commonly think of traffic divided between good vs. fraud traffic, or desktop vs. mobile traffic. However, not all mobile traffic comes from real mobile devices, but from virtual devices – emulators.

An emulator is a virtual simulation of a mobile device. Essentially, it is software that runs a completely mobile environment on another computer, such as a PC. Emulators have many legitimate uses; they were originally developed to facilitate QA tasks, from testing software to running unsupported applications on other devices. For example, app developers can use an emulator to test their Android or iOS apps on a PC without having to use their phones. And emulators have been popular with gamers too.traffic comes from real mobile devices, but from virtual devices – emulators.

What Makes Emulators so Great?

They are flexible, easy and virtual.

Flexibility – you have full control over the environment. You can simulate different device types, operating system (OS) versions, screen sizes and resolutions, GPS coordinates, and more.

Ease of use – creating and running an emulated environment is straightforward using existing tools. No prerequisites or specialized knowledge is required.

Virtual – emulators don't require special devices; they can run locally or in the cloud, are highly scalable, and are cost effective. You can run multiple environments on one computer, or distribute them across several.

Why Fraudsters Use Emulators?

Again, because they are flexible, easy and virtual. Unfortunately, all of these reasons make emulators appealing for cybercriminals as well.

Ease of use creates a low barrier of entry for anyone willing to commit fraud; they easily run on PC or Cloud.

Virtual means the process of creating, managing, and destroying the devices can be fully automated (you can drive them manually or use BOTs) without leaving a physical trace.

The Growing Popularity of Emulators with Fraudsters

Throughout our research, we have come across countless discussions on how to use the software, including step-by-step directions on how to use emulators to commit fraud with stolen credit cards, recommendations on how to bypass fraud detection tools, device types and OS versions to bypass fraud detection tools, and what to do in case you are blocked.

How simple it is, is truly concerning - to say the least.

The image shows a detailed tutorial on how to use emulators to cash out stolen credit cards.

Detecting Emulators with Behavioral Biometrics

Some emulators are easier to detect than others, but all will try to mask their activity. To do this, cybercriminals will use various tricks such as imitating real devices, spoofing signals to sensors, and removing traces of their existence after deleting an emulated device. Although these tricks are sophisticated, they're not foolproof.

Behavioral biometrics is the solution we use to identify emulated devices. Behavioral biometrics works by learning how humans interact with devices in order to identify patterns. By using the sensors embedded in mobile devices, from touch screens to GPS radios, we can extract and analyze hundreds of data points that define exactly how users use their devices. We then apply machine learning algorithms to determine whether or not these data points reflect the properties of a real physical mobile device or an emulated one.

The parameters we identify include how firmly you touch the screen, how fast you tap, swipe, how you move your wrist and palm when touching the screen, and more. Even basic actions modify multiple data points. For example, a single swipe on a touchscreen gives us the position and pressure of the user's finger, as well as the intensity of vibrations created by the accelerometer in response to the action:

Although these interactions generate potentially hundreds of data point, the patterns are consistent across different interactions. For example, the amount of pressure applied when swiping varies for each individual person. However, the fact that this pressure is unique to each individual person is in itself consistent with everyone. In other words, it's rare for two individual people to have the exact same swiping behavior.

As another example, consider the orientation of your phone when swiping. Not only do we move our finger across the screen, but we usually tilt the device towards us when doing so. Again, the amount and the direction varies for each person, but the behavior is consistent. These behaviors—along with dozens of others—create a collection of nuances that can't be easily simulated with a virtual device.

Emulators vs. Man-to-Machine

Unfortunately, emulators are a commonplace occurrence. Traditional fraud detection tools struggle to detect emulated devices, which means you likely have emulated traffic interspersed with genuine traffic from real devices. However, emulators are vulnerable for the same reasons they are powerful: since they are not physical devices, they are not easily capable of providing all of the unique attributes that a physical device can provide.

Behavioral biometrics leverages this vulnerability. By relying on hard-to-spoof data points and parameters, behavioral biometrics makes it exceptionally difficult for emulated devices to pass for physical devices. It does this without relying on specific footprints or classical detection methods, allowing it to work against even the most advanced emulation software.